Link: Document sharing invitation template

Detects inbound messages containing text indicating a document sharing invitation with the specific phrase 'has invited you to VIEW the following document:', commonly used in malicious document sharing schemes.

Sublime rule (View on GitHub)

name: "Link: Document sharing invitation template"
description: "Detects inbound messages containing text indicating a document sharing invitation with the specific phrase 'has invited you to VIEW the following document:', commonly used in malicious document sharing schemes."
type: "rule"
severity: "high"
source: |
  type.inbound
  and strings.contains(body.current_thread.text,
                       'has invited you to VIEW the following document:'
  )
  and length(body.current_thread.links) > 0
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Free file host"
detection_methods:
  - "Content analysis"
id: "437a20d4-2ea1-5365-b060-fad8e7a6d32e"
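
The following is an added example, not part of the Sublime rule or its repository: a plain-Python approximation of the rule's three conditions, run over constructed messages to show which ones it flags. It assumes `strings.contains` is an exact-case substring match and uses a simplified regex in place of Sublime's link extraction; the helper names and sample addresses are hypothetical.

```python
# Added illustration: approximates the rule's three conditions in plain Python.
# It is not Sublime's MQL engine; link extraction and direction are simplified.
import re
from email import message_from_string
from email.message import Message

PHRASE = "has invited you to VIEW the following document:"
URL_RE = re.compile(r"https?://[^\s<>\"']+")  # assumption: stand-in for body.current_thread.links

def body_text(msg: Message) -> str:
    """Concatenate the decoded text/plain parts of a message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            parts.append(payload.decode(charset, "replace"))
    return "\n".join(parts)

def rule_matches(raw: str, inbound: bool = True) -> bool:
    """type.inbound AND exact-case phrase in body AND at least one link."""
    text = body_text(message_from_string(raw))
    return inbound and PHRASE in text and len(URL_RE.findall(text)) > 0

def make(body: str) -> str:
    """Build a minimal constructed message around the given body."""
    headers = "From: sender@example.com\nTo: user@example.org\nSubject: Shared document\n\n"
    return headers + body

# Constructed sample messages (not real traffic).
SAMPLES = {
    # Template phrase plus a link: all three conditions hold.
    "template_with_link": make("Alex has invited you to VIEW the following document:\nhttps://files.example.net/d/abc\n"),
    # Ordinary-cased notice: the exact-case phrase is absent, so it is not flagged.
    "ordinary_case_notice": make("Alex has invited you to view the following document:\nhttps://files.example.net/d/abc\n"),
    # Template phrase but no link: the length(...) > 0 condition fails.
    "template_no_link": make("Alex has invited you to VIEW the following document:\nQ3 report\n"),
}

def evaluate_samples() -> dict:
    """Return {sample name: whether the approximated rule matches}."""
    return {name: rule_matches(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name}: {'MATCH' if hit else 'no match'}")
```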